CVE-2021-26857

HIGH KEV RANSOMWARE

Microsoft Exchange Server - Remote Code Execution via Unsafe Deserialization

Title source: llm

Exploitation Summary

CVE-2021-26857 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including sirpedrotavares.

AI-analyzed exploit summary This is a functional exploit for CVE-2021-26857, targeting Microsoft Exchange Server to achieve remote code execution via server-side request forgery (SSRF) and authentication bypass. The exploit writes a malicious ASPX shell to the server, enabling arbitrary command execution.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploits (1)

nomisec WORKING POC 112 stars

by sirpedrotavares · remote

https://github.com/sirpedrotavares/Proxylogon-exploit

View Code ZIP pw:eip

This is a functional exploit for CVE-2021-26857, targeting Microsoft Exchange Server to achieve remote code execution via server-side request forgery (SSRF) and authentication bypass. The exploit writes a malicious ASPX shell to the server, enabling arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Exchange Server 2013, 2016, 2019

No auth needed

Prerequisites: Network access to the Exchange Server · Valid email address for the target server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26857

Scores

CVSS v3 7.8

EPSS 0.9401

EPSS Percentile 99.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-03-02

InTheWild.io 2021-03-02

ENISA EUVD EUVD-2021-13641

Ransomware Use Confirmed

CWE

CWE-502

Status published

Products (4)

microsoft/exchange_server 2010 sp3

microsoft/exchange_server 2013 cumulative_update_22 (3 CPE variants)

microsoft/exchange_server 2016 cumulative_update_10 (12 CPE variants)

microsoft/exchange_server 2019 (9 CPE variants)

Published Mar 03, 2021

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026